ICO accreditation requirements for UK GDPR code of 
conduct monitoring bodies 


General Notes: 


The UK GDPR introduced a number of data protection requirements for data 
controllers and processors. It also encourages the development of voluntary 
compliance activities, including codes of conduct, in order for data controllers and 
processors to demonstrate their effective application of the UK GDPR. 


Article 41(1) of the UK GDPR states that compliance monitoring of approved 
codes of conduct may be carried out by an impartial monitoring body which has 
an appropriate level of expertise in relation to the subject-matter of the code 
and is accredited for that purpose by the Commissioner (hereinafter referred to 
as ICO). Set out in Article 57(1)(p) is a requirement for the ICO to publish these 
criteria. 


The UK GDPR guidelines set out a broad framework for the type and structure of 
a monitoring body, taking into account the code itself and thereby allowing some 
flexibility. Code owners will put forward proposals for their code 
monitoring body, and Article 41(2) sets out a number of requirements which the 
proposed monitoring body needs to meet in order to gain accreditation. 
Monitoring bodies must: 


- Demonstrate independence and expertise in relation to the subject matter 
of the code as per Article 41(2)(a). 

- Demonstrate established procedures which allow it to assess the eligibility 
of controllers and processors concerned to apply the code, to monitor 
their compliance with its provisions and to periodically review its operation 
as per Article 41(2)(b). 

- Demonstrate established procedures and structures to handle complaints 
about infringements of the code or the manner in which the code has 
been, or is being, implemented by a controller or processor, and to make 
those procedures and structures transparent to data subjects and the 
public as per Article 41(2)(c). 

- Demonstrate to the satisfaction of the Commissioner that its tasks and 
duties do not result in a conflict of interest as per Article 41(2)(d). 


Accreditation Requirements: 


Applications for monitoring body accreditation must be submitted in 
English or Welsh with all supporting documents to the ICO. 


The ICO reserves the right to conduct a risk-based review of the 
monitoring body periodically to ensure that the body still meets the 
requirements for accreditation. Such a review could be initiated by (but 
is not limited to): amendments to the code of conduct, substantial 
changes to the monitoring body or the monitoring body failing to deliver 
its monitoring functions. 


The monitoring body will retain its accreditation status unless the 
outcome of the ICO periodic review concludes that the requirements for 
accreditation are no longer met. 


The introduction of a new or additional monitoring body for a code of 
conduct will require the new body to be assessed in line with the 
accreditation criteria. 


The requirements listed in this document shall apply to a monitoring 
body regardless of whether it is an internal or external body, unless the 
requirement states otherwise. 




1. Independence 


Explanatory Note: 


The requirements below set out what constitutes independence. This needs to be 
demonstrated within four main areas: legal and decision-making procedures, 
financial, organisational and accountability. Independence for a monitoring body 
can be understood as a series of formal rules and procedures for the 
appointment, terms of reference and operation of the monitoring body. These 
rules and procedures will allow the monitoring body to perform its monitoring 
tasks without influence from members of the code or its code owner. 


Monitoring bodies will be structured and managed to safeguard their 
independence and impartiality and will be required to demonstrate this to the 
ICO in their submission. 


The monitoring body could be an internal or external body as long as evidence 
can be provided of adequate procedures and rules that allow monitoring of 
compliance with a code independently and without undue pressure or influence 
from the code owner or the code members. Internal bodies shall provide 
evidence to ensure that the independence of their monitoring activities is not 
compromised. 


1.1 Legal and decision-making procedures 


Requirements: 


1.1.1 The monitoring body shall be appropriately independent in relation to the 
code members, the profession, industry or sector to which the code applies and 
the code owner itself. 


1.1.2 The monitoring body shall demonstrate that it will act independently in its 
choice and application of its actions and sanctions. This could be evidenced by 
formal rules for appointment, terms of reference, powers and operation of any 
committees or personnel that may be involved with an internal monitoring body 
(such committees or personnel shall be free from any commercial, financial and 
other pressures that might influence decisions). 


1.1.3 The monitoring body shall provide evidence during the application process 
that their personnel can act independently and without undue pressure or 
influence in relation to: 


a. supervision of resources and finances of the monitoring body; 


b. decisions on and performance of compliance monitoring; and 
c. safeguarding of impartiality. 


Such evidence can include but is not limited to documented recruitment 
processes, job descriptions, risk registers, risk treatments, meeting minutes and 
other documented processes as appropriate. 


1.1.4 The monitoring body shall not provide any services to code members that 
would adversely affect its independence. 


1.2 Financial 


Requirements: 


1.2.1 The monitoring body shall demonstrate that it has the financial stability 
and resources for the operation of its activities and to meet its liabilities. 


1.2.2 The monitoring body shall be able to manage its budget and resources 
independently and effectively monitor compliance without any form of influence 
from the code owner or code members. 


1.2.3 The monitoring body shall demonstrate to the ICO the means by which it 
obtains financial support for its monitoring role and explain how this does not 
compromise its independence. 


1.3 Organisational 


Requirements: 


1.3.1 An internal monitoring body shall provide information concerning its 
relationship to its larger entity (for example, the code owner) and shall evidence 
its impartiality. This could be demonstrated with evidence that may include 
information barriers, separate reporting and separate operational and 
management functions. 


1.3.2 The monitoring body shall demonstrate organisational independence; for 
example, an internal monitoring body may use different logos or names where 
appropriate. 


1.3.3 The monitoring body shall demonstrate that it has adequate resources and 
personnel to effectively perform its tasks, that it is able to act independently 
from code owners and code members and is protected from interference or 
sanctions as a result of this duty. 


1.3.4 Where a monitoring body uses sub-contractors, it shall ensure that 
sufficient guarantees are in place in terms of the knowledge, reliability and 
resources of the sub-contractor and obligations applicable to the monitoring 
body are applicable in the same way to the sub-contractor. The use of 
subcontractors does not remove the responsibility of the monitoring body. This 
could be demonstrated with evidence that may include: 
a. written contracts or agreements to outline, for example, 
responsibilities, confidentiality, what type of data will be held and a 
requirement that the data is kept secure; 


b. a clear procedure for subcontracting shall also be documented and 
include the conditions under which this may take place, an approval 
process and the monitoring of subcontractors; and 


c. the monitoring body shall ensure sufficient documented procedures 
to guarantee the independence, expertise and lack of conflicts of 
interests of the sub-contractors. 


1.4 Accountability 


Requirements: 


1.4.1 The monitoring body shall provide evidence to demonstrate that it is 
accountable for its decisions and actions, for example, by setting out a 
framework for its roles and reporting procedures and its decision-making process 
to ensure independence. Such evidence could include but is not limited to job 
descriptions, management reports and policies to increase awareness among the 
personnel about the governance structures and the procedures in place (e.g. 
training). 


1.4.2 Any decisions made by the monitoring body related to its functions shall 
not be subject to approval by any other organisation, including the code owner. 


2. Conflict of interest 


Explanatory Note: 


The requirements below aim to ensure that the monitoring body can deliver its 
monitoring activities in an impartial manner, identifying situations that are likely 
to create a conflict of interest and taking steps to avoid them. 


It will be for the monitoring body to explain the approach to safeguard 
impartiality and to evidence the mechanisms to remove or mitigate these risks 
as appropriate. Examples of sources of risks to impartiality of the monitoring 
body could be based on ownership, governance, management, personnel, 
shared resources, finances, contracts, outsourcing, training, marketing and 
payment of sales commission. 
Requirements: 


2.1 The monitoring body shall have a process to identify, analyse, evaluate, 
treat, monitor and document on an ongoing basis any risks to impartiality arising 
from its activities. The monitoring body personnel shall undertake to comply with 
these requirements and to report any situation likely to create a conflict of 
interest. 


2.2 The monitoring body shall choose or direct and manage its personnel. This 
could be demonstrated by providing evidence which includes job descriptions, 
personnel records, recruitment personnel resource allocations and line 
management arrangements. 


2.3 The monitoring body shall ensure that it does not seek or take instructions 
from any person, organisation or association and shall remain free from external 
influence. 


2.4 The monitoring body shall be protected from sanctions or interference by the 
code owner, other relevant bodies or members of the code. 


3. Expertise 


Explanatory Note: 


The requirements below aim to ensure that the monitoring body possesses 
adequate competencies to undertake effective monitoring of a code. More 
detailed expertise requirements will be defined in the relevant code itself. Code 
specific requirements will be dependent upon such factors as: the size of the 
sector concerned, the different interests involved and the risks of the processing 
activities. These code specific requirements will be considered as part of the 
accreditation. 


In order for a monitoring body to meet the expertise requirements, it will need 
to demonstrate that its personnel have the required knowledge and experience 
in relation to the sector, processing activity, data protection legislation and 
auditing, in order to carry out compliance monitoring in an effective manner. 
This could be demonstrated to the ICO with evidence that includes personnel job 
descriptions, specification requirements, qualifications, required or relevant 
experience, published reports etc. 


Requirements: 


3.1 The monitoring body shall demonstrate that it has an in-depth 
understanding, knowledge and experience in relation to the specific data 
processing activities in relation to the code. Evidence as to whether it has 
recognised expertise may include its status as a recognised and traceable 
professional standards body, internal committee, trade association, interest 
group, federation, society or sectoral, legal, audit body or similar. 


3.2 The monitoring body shall ensure that personnel conducting its monitoring 
functions or making decisions on behalf of the monitoring body have appropriate 
sectoral and data protection expertise and operational experience, training and 
qualifications such as previous experience in auditing, monitoring or quality 
assurance. 


3.3 The monitoring body shall demonstrate that it meets the expertise 
requirements in 3.1 and 3.2 above and also the relevant expertise requirements 
as defined in the code of conduct. 


4. Established procedures and structures 


Explanatory Note: 


The requirements below aim to ensure that the proposals for monitoring are 
operationally feasible, by specifically outlining the monitoring process and 
demonstrating how it will deliver the code's monitoring mechanism. 


The monitoring body will need to demonstrate to the ICO established 
procedures, structures and resources to assess the eligibility of 
controllers/processors to apply the code, monitor compliance with the code and 
to carry out periodic reviews of the code's operation. 


Monitoring procedures must take into account the risk raised by the data 
processing, complaints received and the number of members of the code. These 
procedures could lead to the publication of monitoring information including 
audit or summary reports or periodic outcomes reporting of findings. 


The monitoring body shall apply the corrective measures as defined in the code 
of conduct. 


Requirements: 


4.1 The monitoring body shall demonstrate that they have a procedure to 
check eligibility of members to comply with the code, for example, their 
processing of personal data falls within the scope of the relevant code of 
conduct. 


4.2 The monitoring body shall demonstrate that they have a procedure to 
provide compliance monitoring to be carried out over a defined period taking 
into account such things as: the complexity and risks involved, number of code 
members, geographical scope and complaints received. 


4.3 The monitoring body shall demonstrate that their audit or review 
procedures define the criteria to be assessed, the type of assessment to be used 
and a procedure to document the findings. Review procedures can include such 
things as: audits, inspections, reporting and the use of self-monitoring reports or 
questionnaires. 


4.4 The monitoring body shall demonstrate that they have a procedure for the 
investigation, identification and management of code member infringements to 
the code and additional controls to ensure appropriate action is taken to remedy 
such infringements as set out in the relevant code of conduct. 


4.5 The monitoring body shall be responsible for the management of all 
information obtained or created during the monitoring process. The monitoring body 
shall ensure that personnel will keep all information obtained or created during 
the performance of their tasks confidential, unless they are required to disclose 
or are exempt by law. 


5. Transparent complaints handling 


Explanatory Note: 


Transparent and publicly available procedures and structures to handle 
complaints in relation to both code members and the monitoring body from 
different sources are an essential element for code monitoring. This process will 
be sufficiently resourced and managed, and personnel will demonstrate sufficient 
knowledge and impartiality. 


In order to meet these requirements, the monitoring body will need to provide 
evidence of a documented, independent, and transparent complaints handling 
process to receive, evaluate, track, record and resolve complaints within a 
reasonable time frame. 


We would normally expect the resolution of non-complex complaints to be dealt 
with within three months. 
Requirements: 


5.1 Complaints about code members: 


5.1.1 The monitoring body shall provide evidence of a clear framework for a 
publicly available, accessible and easily understood complaints handling and 
decision-making process. 


5.1.2 The monitoring body shall acknowledge receipt of the complaint and 
provide the complainant with a progress report or the final decision of the 
investigation within a reasonable time, such as three months. 


5.1.3 The monitoring body shall provide evidence of suitable corrective 
measures, as defined in the code of conduct, in cases of infringement of the 
code to stop the infringement and avoid future re-occurrence. Such sanctions 
could also include training, issuing a warning, a report to the board of the 
member, a formal notice requiring action, or suspension or exclusion from the code. 


5.1.4 The monitoring body shall provide evidence of its process for notifying 
the ICO immediately and without undue delay about the measures taken and 
the justification for any infringements leading to code member suspension or 
exclusion. 


5.1.5 The monitoring body shall maintain a record of all complaints and actions 
which the ICO can access at any time. 


5.1.6 Decisions of the monitoring body shall be made publicly available in line 
with its complaints handling procedure. This information could include, but is not 
limited to, general statistical information concerning the number and type of 
complaints/infringements and the resolutions/corrective measures issued, and 
shall include information concerning any sanctions leading to suspensions or 
exclusions of code members. 


5.2 Complaints against the monitoring body: 


5.2.1 The monitoring body shall provide evidence of a clear framework for a 
publicly available, accessible and easily understood complaints handling and 
decision-making process in relation to complaints made against them. 


5.2.2 The monitoring body shall have a documented process to receive, 
evaluate and make decisions on complaints made about its monitoring 
responsibilities and activities. 


5.2.3 The monitoring body shall assist in the investigation and resolution of any 
complaints about the monitoring body to the ICO. 
5.3 Appeal and complaints about decisions made by the monitoring body: 


5.3.1 The monitoring body shall provide evidence of a clear framework for a 
publicly available, accessible and easily understood complaints handling and 
decision-making process in relation to complaints made about its decisions. 


5.3.2 The monitoring body shall have a documented appeals process which shall 
be made publicly available, accessible and be easily understood and transparent. 


5.3.3 The handling process for appeals shall include at least the following: 


a. a description of the process for receiving, validating, investigating 
the appeal and deciding what actions are to be taken in response to 
it; 


b. tracking and recording appeals, including actions undertaken to 
resolve them; and 


c. ensuring that any appropriate action is taken in a timely manner. 


5.3.4 The monitoring body shall acknowledge receipt of the appeal and provide 
progress reports and the final decision to the relevant party. 


6. Communicating with the ICO 


Explanatory Note: 


The section below sets out the information the monitoring body will provide to 
the ICO. This includes information concerning any suspension or exclusion of 
code members and any substantial changes to its own status. 


It is envisaged that suspension or exclusion of code members will only apply in 
serious circumstances and code members would first have the opportunity to 
take suitable corrective measures as appropriate and agreed with the monitoring 
body. 


The monitoring body is accredited on the basis of fulfilling all requirements at 
the time of accreditation, and continuing to fulfil those requirements in order to 
effectively perform its function. Any subsequent substantial changes relating to 
the monitoring body’s ability to function independently and effectively, its 
expertise and any conflict of interests would result in a review of its 
accreditation. 
Requirements: 


6.1 The monitoring body shall evidence a clear framework to allow for reporting 
of any suspensions or exclusions of code members to the ICO. This reporting 
shall require as a minimum: 


a. inform the ICO promptly and in writing of any suspension or 
exclusion providing valid reasons for the decision; 

b. provide information outlining details of the infringement and 
actions taken; and 

c. provide evidence that they have taken action in line with their 
suspension or exclusion process. 


6.2 The monitoring body shall have a documented procedure for lifting the 
suspension or exclusion of a code member and notifying that code member and 
the ICO of the outcome of the review or investigation. 


6.3 Substantial changes to the monitoring body may include but are not 
limited to: 


a. its legal, commercial, ownership or organisational status and key 
personnel; 

b. resources and location(s); and 

c. any changes to the basis of accreditation. 


6.4 The monitoring body shall report any substantial changes to the ICO 
immediately and without undue delay. 


6.5 Substantial changes would result in a review of the accreditation. 


7. Code review mechanisms 


Explanatory Note: 


Monitoring bodies have a key role in contributing to the review of the code in 
accordance with the review mechanisms outlined in the code. As a result of a 
code review, amendments or extensions to the code may be made by the code 
owner. 


Requirements: 


7.1 The monitoring body will contribute to reviews of the code as required by 
the code owner and shall therefore ensure that it has documented plans and 
procedures to review the operation of the code to ensure that the code 
remains relevant to the members and continues to meet the application of the 
UK GDPR. 


7.2 The monitoring body shall also provide the code owner and any other 
establishment or institution referred to in the code of conduct with an annual 
report on the operation of the code. The report shall include: 


a. information concerning new members to the code; 


b. details of any suspensions and exclusions of code members; 

c. confirmation that a review of the code has taken place and that following 
review no amendments to the code are required; 

d. that there are no substantial changes to the monitoring body; and 

e. Information concerning data breaches by code members, complaints 
managed and the type and outcome of monitoring functions that have 
taken place. 


7.3 The monitoring body shall apply code updates and implement 
amendments and extensions to the code as instructed by the code owner. 


7.4 The monitoring body shall ensure that information concerning its 
monitoring functions is recorded and made available to the ICO as required. 


8. Legal status 


Explanatory Note: 


The monitoring body may be set up or established in a number of different ways, 
for example limited companies or trade associations. However, the overarching 
principle is that whatever form the monitoring body takes, it must demonstrate 
sufficient financial and other resources to deliver its specific duties and 
responsibilities. The monitoring body will therefore have to provide evidence to 
the ICO of its legal status including, where practical, the names of owners or 
named responsible officers and, if different, the names of the persons who 
control it. 


Fines could be administered for a monitoring body failing to deliver its 
monitoring functions and failing to take appropriate action when code 
requirements are infringed. A monitoring body will therefore demonstrate that it 
has the appropriate standing to carry out its role under Article 41(4). 


A monitoring body is not responsible for code members’ UK GDPR compliance. 


Requirements: 
8.1 The monitoring body shall evidence to the ICO that it has the appropriate 
standing to meet the requirements of being fully accountable in its role with 
sufficient financial and other resources; in particular with reference to s149 and 
s155 Data Protection Act 2018 and Article 83 of the UK GDPR, being able to 
take appropriate action in line with Article 41, and that it has access to 
adequate resources to fulfil its monitoring responsibilities. Such 
evidence could, depending on the structure of the monitoring body, include (but not 
be limited to): 


a. full company and business name and date and place of 
incorporation, Memorandum and Articles of Association, details of 
shareholders and directors, registered office and number, 
ownership chart, details of interests in or relationship to any other 
company or organisation, joint venture, LLP, partnership or other 
entity; 

b. evidence of appropriate legal transfers of powers and resources to 
the monitoring body, any relevant resolutions of the relevant 
shareholders or boards of directors (or equivalent for 
unincorporated associations or trade associations or similar), any 
relevant contracts, undertakings, membership requirements, 
guarantees, formal agreements, terms of reference and 
appointment, and decision making procedures; and 

c. evidence that the monitoring body has adequate financial resources 
to demonstrate how fines will be paid, such that the requirements 
of UK GDPR Article 83(4)(c) and S.155 DPA 2018 can be met. 


8.2 The monitoring body shall be a legal entity, or a defined part of a legal 
entity such that it is legally responsible for its monitoring activities. The 
monitoring body shall agree to be responsible for its monitoring role and 
therefore responsible for a fine under UK GDPR Article 83(4)(c) and S.155 
DPA 2018. 


8.3 The monitoring body shall be established in the UK. 


8.4 The monitoring body shall have adequate resources for specific duties and 
responsibilities over a suitable period of time in accordance with the code. 